Hello. We use WSO2 IS 5.8. I have configured a SAML Service Provider with a transient NameID (Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"). But WSO2 IS always fills the NameID element with the username, for example:

<saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">testuser01</saml2:NameID> ...

According to saml-core-2.0-os.pdf, section 8.3.8 "Transient Identifier": "Indicates that the content of the element is an identifier with transient semantics and SHOULD be treated as an opaque and temporary value by the relying party. Transient identifier values MUST be generated in accordance with the rules for SAML identifiers (see Section 1.3.4), ..." By section 1.3.4 it (the NameID in this case) must be a unique, randomly generated identifier. WSO2 IS doesn't generate this NameID as unique, because after logout and a new login (with the same username and password) it is set to the same value (testuser01).

I see in the source code (org.wso2.carbon.identity.sso.saml.builders.assertion.DefaultSAMLAssertionBuilder, in the identity-inbound-auth-saml-5.4.43 package, method setNameId) that the NameID is always filled with the subject ID (nameId.setValue(authReqDTO.getUser().getAuthenticatedSubjectIdentifier());).

Is it possible to change this behavior? Can the subject identifier be changed to a randomly generated string? What will be the impact of this change on the logout process? Or do we need to write our own SAMLAssertionBuilder with a correct setNameId method (one that reflects the NameID format)?

Best regards,
Roman Chrenko
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
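The question above touches two things a transient NameID implementation has to get right: generating the value per SAML core section 1.3.4 (at least 128 bits of randomness, and a valid xs:ID), and keeping the IdP-side mapping that makes an SP-initiated LogoutRequest carrying that opaque value resolvable to a session. The following is an added, stand-alone example written for this thread; it is not WSO2 code and does not use the WSO2 assertion builder API. The class and function names (TransientNameIdIssuer, IdpSession, new_saml_identifier, issue_name_id, resolve_logout, terminate, build_subject) and the SP entity IDs are hypothetical, and the non-transient branch simply returns the username, mirroring the behaviour the post describes.

```python
"""Transient NameID issuance and logout resolution for a SAML 2.0 IdP.

Added example for illustration only (not WSO2 Identity Server code).
All class/function names here are hypothetical.
"""
import re
import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
ET.register_namespace("saml2", SAML2_NS)

# xs:ID is an NCName: starts with a letter or underscore, no colons.
NCNAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*$")


def new_saml_identifier(random_bits: int = 160) -> str:
    """Identifier per SAML core 1.3.4: at least 128 bits of randomness and a
    valid xs:ID. The leading underscore satisfies the NCName rule even when
    the first hex digit is numeric."""
    if random_bits < 128:
        raise ValueError("SAML identifiers need at least 128 bits of randomness")
    return "_" + secrets.token_hex(random_bits // 8)


@dataclass
class IdpSession:
    session_id: str
    username: str
    # transient NameID handed to each SP in this session; needed at logout time
    transient_ids: Dict[str, str] = field(default_factory=dict)


class TransientNameIdIssuer:
    """Minimal IdP-side model: issues NameIDs at login, resolves them at logout."""

    def __init__(self) -> None:
        self._sessions: Dict[str, IdpSession] = {}
        # NameID value -> (session_id, sp_entity_id). Without this index an
        # SP-initiated LogoutRequest carrying an opaque value cannot be matched.
        self._index: Dict[str, Tuple[str, str]] = {}

    def issue_name_id(self, session: IdpSession, sp_entity_id: str, name_id_format: str) -> str:
        self._sessions[session.session_id] = session
        if name_id_format != TRANSIENT:
            return session.username  # non-transient formats: username, as the post describes
        value = new_saml_identifier()  # fresh per login, never derived from the username
        session.transient_ids[sp_entity_id] = value
        self._index[value] = (session.session_id, sp_entity_id)
        return value

    def resolve_logout(self, name_id_value: str, name_id_format: str,
                       sp_entity_id: str) -> Optional[IdpSession]:
        """Map the NameID from a LogoutRequest back to the IdP session. Returns
        None if the value is unknown, already logged out, or issued to another SP."""
        if name_id_format != TRANSIENT:
            return next((s for s in self._sessions.values() if s.username == name_id_value), None)
        hit = self._index.get(name_id_value)
        if hit is None or hit[1] != sp_entity_id:
            return None
        return self._sessions.get(hit[0])

    def terminate(self, session_id: str) -> None:
        """Drop the session and every transient value issued in it, so a value
        can never be resolved again after logout."""
        session = self._sessions.pop(session_id, None)
        if session is not None:
            for value in session.transient_ids.values():
                self._index.pop(value, None)


def build_subject(name_id_value: str, name_id_format: str) -> str:
    """Serialise <saml2:Subject><saml2:NameID Format="...">value</saml2:NameID></saml2:Subject>."""
    subject = ET.Element(f"{{{SAML2_NS}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML2_NS}}}NameID", Format=name_id_format)
    name_id.text = name_id_value
    return ET.tostring(subject, encoding="unicode")


if __name__ == "__main__":
    idp = TransientNameIdIssuer()
    sp = "https://sp.example.com"  # constructed sample entity ID
    first = idp.issue_name_id(IdpSession("sess-1", "testuser01"), sp, TRANSIENT)
    print(build_subject(first, TRANSIENT))
    idp.terminate("sess-1")
    second = idp.issue_name_id(IdpSession("sess-2", "testuser01"), sp, TRANSIENT)
    print("same user, new login, different NameID:", first != second)
```

The logout impact follows directly from the index: once the NameID no longer equals the username, the IdP has to remember which value it issued to which SP within which session (or carry that state in an encrypted/signed form it can decode itself), and it must discard that state when the session ends so a stale LogoutRequest cannot terminate a later session of the same user.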
